While this is an ongoing relationship, recall that the 2013 Target breach began with network credentials stolen from the HVAC contractor that had remote access to Target's systems. That is the core security concern around IoT: the people who typically deploy IoT systems don't have the background or training that those of us in IT do. We take the security vulnerabilities of a technology into consideration before we deploy it.
Cybersecurity is never a point-in-time issue: the threats keep evolving and getting more sophisticated, and attackers always have access to better tools. So it is the responsibility of the IT department or the IT service provider to treat IoT devices on the network the same way they treat PCs, servers, or anything else they maintain: inventory them, patch them, scan them, and monitor them for their whole service life.
It's our job to tell the client that every IoT device on the network is going to be scanned for vulnerabilities, and that anything the scan turns up will have to be addressed, because the goal is to keep the network safe. We scan everything on the network for known vulnerabilities: servers, printers, firewalls, video surveillance cameras, switches, everything with an IP address.
If a client adds a surveillance system with an IP address, we scan that as well. Any vulnerabilities we find are brought to the client's attention. If the surveillance system is maintained under contract by the company that installed it, we contact that company and tell them the system needs to be patched.
There's a tendency for the IT department to avoid any involvement with projects that are not IT-related: "This is a digital signage system, so why should we care about it?" That resistance is usually why line-of-business (LOB) decision makers don't involve IT; they know they are going to get pushback. IT departments and IT service providers need to recognize that IoT devices are going to become more and more prevalent on our networks. We have to embrace them and work with the LOB side so that deployments happen in a more controlled manner. The message to LOB managers should be: we know you are going to do this, so let's do it cooperatively and make sure we account for all the issues that come with deploying this technology.
In some cases, this may mean building a parallel network that coexists with the IT network but does not connect into it, with its own private IP address space that does not conflict with anything on the IT network. Segmenting within the existing network is the other option. We did that for a client that deployed a batch of new smart copiers: when the client ran out of IP addresses, we re-engineered the network, created VLANs specifically for those devices, and assigned them a separate subnet. Note that a separate VLAN only isolates those devices if traffic between it and the IT network is filtered at the router or firewall; otherwise it solves the addressing problem, not the security one.
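As an added example (not the author's tooling and not from the article), here is a short Python audit of the kind of segmentation described above. The address plan, the VLAN number and the device inventory are all assumptions constructed for the example. It checks that the new IoT subnet uses private address space that does not overlap the IT network, that the subnet has room for the device count (the "ran out of IP addresses" problem), and that no IoT device was left on the IT VLAN and no IT asset landed in the IoT segment.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (assumption, not from the article):
# the IT network lives in 10.10.0.0/16; the new copier/camera VLAN 50
# gets its own non-overlapping subnet, 10.50.0.0/24.
IT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
IOT_SUBNET = ipaddress.ip_network("10.50.0.0/24")
IOT_VLAN = 50


@dataclass
class Device:
    name: str
    kind: str   # "it" or "iot"
    ip: str
    vlan: int   # VLAN the switch port is assigned to


# Constructed sample inventory; two entries are deliberately wrong.
SAMPLE_INVENTORY = [
    Device("copier-3f", "iot", "10.50.0.21", 50),
    Device("cam-lobby", "iot", "10.10.4.77", 10),   # camera left on the user VLAN
    Device("fileserver", "it", "10.10.1.5", 10),
    Device("dc01", "it", "10.50.0.9", 50),          # domain controller in the IoT segment
]


def overlapping_subnets(iot_subnet, it_subnets):
    """Return the IT subnets whose address range collides with the IoT subnet."""
    return [net for net in it_subnets if iot_subnet.overlaps(net)]


def has_capacity(subnet, device_count):
    """True if the subnet has enough usable host addresses for the devices.
    Network and broadcast addresses are excluded for prefixes shorter than /31."""
    usable = subnet.num_addresses - (2 if subnet.prefixlen < 31 else 0)
    return usable >= device_count


def misplaced_devices(devices, iot_subnet, iot_vlan):
    """Flag IoT devices outside the IoT VLAN/subnet and IT assets inside it."""
    findings = []
    for d in devices:
        in_iot_subnet = ipaddress.ip_address(d.ip) in iot_subnet
        on_iot_vlan = d.vlan == iot_vlan
        if d.kind == "iot" and not (in_iot_subnet and on_iot_vlan):
            findings.append((d.name, "IoT device outside the IoT VLAN/subnet"))
        elif d.kind == "it" and (in_iot_subnet or on_iot_vlan):
            findings.append((d.name, "IT asset inside the IoT segment"))
    return findings


def audit(devices, iot_subnet=IOT_SUBNET, it_subnets=IT_SUBNETS, iot_vlan=IOT_VLAN):
    """Run all checks and return a report dict."""
    iot_count = sum(1 for d in devices if d.kind == "iot")
    return {
        "private_space": iot_subnet.is_private,
        "overlaps": overlapping_subnets(iot_subnet, it_subnets),
        "capacity_ok": has_capacity(iot_subnet, iot_count),
        "misplaced": misplaced_devices(devices, iot_subnet, iot_vlan),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

Run it against a real inventory export rather than the constructed list. A non-empty "misplaced" list is exactly the case the paragraph warns about: a camera or copier still sitting on the user VLAN, or a server that was given an address in the IoT range. The overlap check is what makes the parallel-network option safe to merge later if the client ever decides to route between the two.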
My Job as a Service Provider
As an IT service provider, we try to keep in mind the business outcomes the client wants and work toward them. It shouldn't be about turf wars. It should be about what the client needs and how we deliver that in the most cost-effective way for them.
Sometimes it takes a very candid conversation with the client. What we can't do is say, "I don't want that on my network," because it isn't our network; it's the client's network. If the client has made a business decision to deploy technology that is less traditional IT and more from the operational technology (OT) world, we need to embrace that and figure out how to make it happen. We keep the client informed about what the risks are, if any, and what issues need to be resolved before that technology goes in.